TACACS+ (Terminal Access Controller Access-Control System Plus) is commonly used to authenticate users on network devices like routers and switches against a central server. Instead of using the local user database on each router or switch, we can use the credentials stored on the TACACS+ server.
- TACACS+ also allows us to configure authentication, authorization and accounting
- It works on TCP port 49
Step 1: Install the tac_plus software (rpm)
If you are in LinuxWorld India Lab, run
# yum install tac_plus
otherwise download the "tac_plus" rpm from http://li.nux.ro/download/nux/misc/el6/x86_64/
Step 2: Edit the tac_plus configuration file according to your requirements
# vim /etc/tac_plus.conf
Step 3: Set up the shared key used to authenticate devices to the TACACS+ server
# vim /etc/tac_plus.conf
key = "mysecretkey"
The same key must be set on every router or switch that will use this TACACS+ server, with the following commands:
R1(config)#tacacs-server host 192.168.0.254
R1(config)#tacacs-server key 0 mysecretkey
where 192.168.0.254 is the IP address of the tac_plus server
Step 4: Set up centralized users and their privilege levels on the TACACS+ server
# vim /etc/tac_plus.conf
user = vimal {
    login = cleartext cisco
    service = exec {
        priv-lvl = 5
    }
}
Step 5: Set up a centralized enable password per host on the TACACS+ server
# vim /etc/tac_plus.conf
host = 10.0.0.151 {
    enable = cleartext 123
}
or
host = 10.0.0.151 {
    enable = des 4Pamse4fed123
}
Generate the hashed password above with the "tac_pwd" command; 10.0.0.151 is the IP address of the router or other network device.
Step 6: Set up the router or switch to authenticate against the TACACS+ server
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local
Step 7: Start the tac_plus server daemon
# service tac_plus start
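Steps 3 to 5 above put a shared key, user logins and per-host enable passwords into the same file, and the examples use "cleartext" for most of them. The script below is an added example (not part of the original post and not part of tac_plus) that parses the brace-structured tac_plus.conf syntax shown above and reports a missing or short shared key and any login or enable password still stored as cleartext, so you can check the file before starting the daemon. The sample configuration embedded in it is constructed from the post's snippets; the 16-character minimum key length is an assumption, not a tac_plus requirement.

```python
"""Audit a tac_plus.conf for weak credential settings.

Added example, not tac_plus code. Parses the brace-structured
tac_plus.conf syntax (key = value lines, name = value { ... } blocks)
and reports settings a reviewer would want changed before deployment.
"""
import re

# Constructed sample config mirroring the post's Step 3 to Step 5 snippets
# (one host still uses a cleartext enable password on purpose).
SAMPLE_CONF = """
key = "mysecretkey"

user = vimal {
    login = cleartext cisco
    service = exec {
        priv-lvl = 5
    }
}

host = 10.0.0.151 {
    enable = des 4Pamse4fed123
}

host = 10.0.0.152 {
    enable = cleartext 123
}
"""

# name = value, optionally followed by '{' when the line opens a block
ASSIGN_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.+?)\s*(\{)?\s*$')


def parse_tac_plus(text):
    """Return a list of (path, name, value) tuples.

    path is the tuple of enclosing blocks, e.g. ('user=vimal', 'service=exec');
    top-level settings such as the shared key have an empty path.
    """
    entries = []
    stack = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value, opens_block = m.group(1), m.group(2), m.group(3)
        if opens_block:
            stack.append(f'{name}={value}')
        else:
            entries.append((tuple(stack), name, value.strip('"')))
    return entries


def audit(text, min_key_len=16):
    """Return a list of human-readable findings for the given config text."""
    entries = parse_tac_plus(text)
    findings = []

    keys = [v for path, name, v in entries if not path and name == 'key']
    if not keys:
        findings.append("no global 'key' configured; device-to-server traffic "
                        "will not be obfuscated")
    for k in keys:
        if len(k) < min_key_len:   # assumed policy threshold, not a tac_plus rule
            findings.append(f"shared key is only {len(k)} characters; "
                            f"use at least {min_key_len}")

    for path, name, value in entries:
        if name in ('login', 'enable') and value.split()[0] == 'cleartext':
            where = '/'.join(path) or '<global>'
            findings.append(f"{where}: '{name}' password stored in cleartext; "
                            f"replace with a 'des' hash generated by tac_pwd")
    return findings


if __name__ == '__main__':
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(conf) or ['no findings']:
        print(finding)
```

Run it as `python3 audit_tac_plus.py /etc/tac_plus.conf` to check the real file, or without an argument to see the three findings the constructed sample produces (short key, cleartext login for vimal, cleartext enable for 10.0.0.152).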